@noble/curves 0.5.2 → 0.6.1

package/lib/ed448.js

@@ -1,12 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.x448 = exports.ed448ph = exports.ed448 = void 0;
+exports.encodeToCurve = exports.hashToCurve = exports.x448 = exports.ed448ph = exports.ed448 = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const sha3_1 = require("@noble/hashes/sha3");
 const utils_1 = require("@noble/hashes/utils");
 const edwards_js_1 = require("./abstract/edwards.js");
 const modular_js_1 = require("./abstract/modular.js");
 const montgomery_js_1 = require("./abstract/montgomery.js");
+const htf = require("./abstract/hash-to-curve.js");
 /**
  * Edwards448 (not Ed448-Goldilocks) curve with following addons:
  * * X448 ECDH
@@ -49,79 +50,6 @@ function adjustScalarBytes(bytes) {
     return bytes;
 }
 const Fp = (0, modular_js_1.Fp)(ed448P, 456, true);
-// Hash To Curve Elligator2 Map
-const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
-const ELL2_J = BigInt(156326);
-function map_to_curve_elligator2_curve448(u) {
-    let tv1 = Fp.square(u); // 1.  tv1 = u^2
-    let e1 = Fp.equals(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
-    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
-    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
-    let x1n = Fp.negate(ELL2_J); // 5.  x1n = -J
-    let tv2 = Fp.square(xd); // 6.  tv2 = xd^2
-    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
-    let gx1 = Fp.mul(tv1, Fp.negate(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
-    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
-    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
-    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
-    let tv3 = Fp.square(gxd); // 12. tv3 = gxd^2
-    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
-    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
-    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
-    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
-    let x2n = Fp.mul(x1n, Fp.negate(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
-    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
-    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
-    tv2 = Fp.square(y1); // 20. tv2 = y1^2
-    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
-    let e2 = Fp.equals(tv2, gx1); // 22.  e2 = tv2 == gx1
-    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
-    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
-    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
-    y = Fp.cmov(y, Fp.negate(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
-    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
-}
-function map_to_curve_elligator2_edwards448(u) {
-    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
-    let xn2 = Fp.square(xn); // 2.  xn2 = xn^2
-    let xd2 = Fp.square(xd); // 3.  xd2 = xd^2
-    let xd4 = Fp.square(xd2); // 4.  xd4 = xd2^2
-    let yn2 = Fp.square(yn); // 5.  yn2 = yn^2
-    let yd2 = Fp.square(yd); // 6.  yd2 = yd^2
-    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
-    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
-    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
-    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
-    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
-    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
-    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
-    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
-    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
-    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
-    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
-    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
-    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
-    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
-    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
-    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
-    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
-    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
-    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
-    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
-    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
-    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
-    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
-    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
-    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
-    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
-    let e = Fp.equals(tv1, Fp.ZERO); // 33.   e = tv1 == 0
-    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
-    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
-    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
-    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
-    const inv = Fp.invertBatch([xEd, yEd]); // batch division
-    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
-}
 const ED448_DEF = {
     // Param: a
     a: BigInt(1),
@@ -169,15 +97,6 @@ const ED448_DEF = {
         // square root exists, and the decoding fails.
         return { isValid: (0, modular_js_1.mod)(x2 * v, P) === u, value: x };
     },
-    htfDefaults: {
-        DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 224,
-        expand: 'xof',
-        hash: sha3_1.shake256,
-    },
-    mapToCurve: (scalars) => map_to_curve_elligator2_edwards448(scalars[0]),
 };
 exports.ed448 = (0, edwards_js_1.twistedEdwards)(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default
@@ -210,3 +129,87 @@ exports.x448 = (0, montgomery_js_1.montgomery)({
     //   return numberToBytesLE(u, 56);
     // },
 });
+// Hash To Curve Elligator2 Map
+const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_J = BigInt(156326);
+function map_to_curve_elligator2_curve448(u) {
+    let tv1 = Fp.sqr(u); // 1.  tv1 = u^2
+    let e1 = Fp.eql(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
+    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
+    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
+    let x1n = Fp.neg(ELL2_J); // 5.  x1n = -J
+    let tv2 = Fp.sqr(xd); // 6.  tv2 = xd^2
+    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
+    let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
+    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
+    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
+    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+    let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
+    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
+    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
+    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
+    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
+    let x2n = Fp.mul(x1n, Fp.neg(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
+    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
+    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
+    tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
+    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
+    let e2 = Fp.eql(tv2, gx1); // 22.  e2 = tv2 == gx1
+    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
+    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
+    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
+    y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
+    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
+}
+function map_to_curve_elligator2_edwards448(u) {
+    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
+    let xn2 = Fp.sqr(xn); // 2.  xn2 = xn^2
+    let xd2 = Fp.sqr(xd); // 3.  xd2 = xd^2
+    let xd4 = Fp.sqr(xd2); // 4.  xd4 = xd2^2
+    let yn2 = Fp.sqr(yn); // 5.  yn2 = yn^2
+    let yd2 = Fp.sqr(yd); // 6.  yd2 = yd^2
+    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
+    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
+    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
+    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
+    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
+    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
+    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
+    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
+    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
+    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
+    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
+    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
+    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
+    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
+    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
+    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
+    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
+    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
+    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
+    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
+    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
+    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
+    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
+    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
+    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
+    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
+    let e = Fp.eql(tv1, Fp.ZERO); // 33.   e = tv1 == 0
+    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
+    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
+    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
+    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
+    const inv = Fp.invertBatch([xEd, yEd]); // batch division
+    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
+}
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(exports.ed448.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
+    DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
+    encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 224,
+    expand: 'xof',
+    hash: sha3_1.shake256,
+});
+exports.hashToCurve = hashToCurve;
+exports.encodeToCurve = encodeToCurve;

package/lib/esm/abstract/bls.js

@@ -1,14 +1,16 @@
-import * as ut from './utils.js';
-import { stringToBytes, hash_to_field as hashToField, expand_message_xmd as expandMessageXMD, } from './hash-to-curve.js';
-import { weierstrassPoints } from './weierstrass.js';
+import { hashToPrivateScalar } from './modular.js';
+import { bitLen, bitGet, hexToBytes, bytesToHex } from './utils.js';
+import * as htf from './hash-to-curve.js';
+import { weierstrassPoints, } from './weierstrass.js';
 export function bls(CURVE) {
     // Fields looks pretty specific for curve, so for now we need to pass them with options
     const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE;
-    const BLS_X_LEN = ut.bitLen(CURVE.x);
+    const BLS_X_LEN = bitLen(CURVE.x);
     const groupLen = 32; // TODO: calculate; hardcoded for now
     // Pre-compute coefficients for sparse multiplication
     // Point addition and point double calculations is reused for coefficients
-    function calcPairingPrecomputes(x, y) {
+    function calcPairingPrecomputes(p) {
+        const { x, y } = p;
         // prettier-ignore
         const Qx = x, Qy = y, Qz = Fp2.ONE;
         // prettier-ignore
@@ -16,32 +18,32 @@ export function bls(CURVE) {
         let ell_coeff = [];
         for (let i = BLS_X_LEN - 2; i >= 0; i--) {
             // Double
-            let t0 = Fp2.square(Ry); // Ry²
-            let t1 = Fp2.square(Rz); // Rz²
+            let t0 = Fp2.sqr(Ry); // Ry²
+            let t1 = Fp2.sqr(Rz); // Rz²
             let t2 = Fp2.multiplyByB(Fp2.mul(t1, 3n)); // 3 * T1 * B
             let t3 = Fp2.mul(t2, 3n); // 3 * T2
-            let t4 = Fp2.sub(Fp2.sub(Fp2.square(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
+            let t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
             ell_coeff.push([
                 Fp2.sub(t2, t0),
-                Fp2.mul(Fp2.square(Rx), 3n),
-                Fp2.negate(t4), // -T4
+                Fp2.mul(Fp2.sqr(Rx), 3n),
+                Fp2.neg(t4), // -T4
             ]);
             Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
-            Ry = Fp2.sub(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
+            Ry = Fp2.sub(Fp2.sqr(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.sqr(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
             Rz = Fp2.mul(t0, t4); // T0 * T4
-            if (ut.bitGet(CURVE.x, i)) {
+            if (bitGet(CURVE.x, i)) {
                 // Addition
                 let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
                 let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
                 ell_coeff.push([
                     Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)),
-                    Fp2.negate(t0),
+                    Fp2.neg(t0),
                     t1, // T1
                 ]);
-                let t2 = Fp2.square(t1); // T1²
+                let t2 = Fp2.sqr(t1); // T1²
                 let t3 = Fp2.mul(t2, t1); // T2 * T1
                 let t4 = Fp2.mul(t2, Rx); // T2 * Rx
-                let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, 2n)), Fp2.mul(Fp2.square(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
+                let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, 2n)), Fp2.mul(Fp2.sqr(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
                 Rx = Fp2.mul(t1, t5); // T1 * T5
                 Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
                 Rz = Fp2.mul(Rz, t3); // Rz * T3
@@ -57,115 +59,114 @@ export function bls(CURVE) {
         for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
             const E = ell[j];
             f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py));
-            if (ut.bitGet(x, i)) {
+            if (bitGet(x, i)) {
                 j += 1;
                 const F = ell[j];
                 f12 = Fp12.multiplyBy014(f12, F[0], Fp2.mul(F[1], Px), Fp2.mul(F[2], Py));
             }
             if (i !== 0)
-                f12 = Fp12.square(f12);
+                f12 = Fp12.sqr(f12);
         }
         return Fp12.conjugate(f12);
     }
     const utils = {
-        hexToBytes: ut.hexToBytes,
-        bytesToHex: ut.bytesToHex,
-        stringToBytes: stringToBytes,
+        hexToBytes: hexToBytes,
+        bytesToHex: bytesToHex,
+        stringToBytes: htf.stringToBytes,
         // TODO: do we need to export it here?
-        hashToField: (msg, count, options = {}) => hashToField(msg, count, { ...CURVE.htfDefaults, ...options }),
-        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => expandMessageXMD(msg, DST, lenInBytes, H),
-        hashToPrivateKey: (hash) => Fr.toBytes(ut.hashToPrivateScalar(hash, CURVE.r)),
+        hashToField: (msg, count, options = {}) => htf.hash_to_field(msg, count, { ...CURVE.htfDefaults, ...options }),
+        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => htf.expand_message_xmd(msg, DST, lenInBytes, H),
+        hashToPrivateKey: (hash) => Fr.toBytes(hashToPrivateScalar(hash, CURVE.r)),
         randomBytes: (bytesLength = groupLen) => CURVE.randomBytes(bytesLength),
         randomPrivateKey: () => utils.hashToPrivateKey(utils.randomBytes(groupLen + 8)),
-        getDSTLabel: () => CURVE.htfDefaults.DST,
-        setDSTLabel(newLabel) {
-            // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3.1
-            if (typeof newLabel !== 'string' || newLabel.length > 2048 || newLabel.length === 0) {
-                throw new TypeError('Invalid DST');
-            }
-            CURVE.htfDefaults.DST = newLabel;
-        },
     };
     // Point on G1 curve: (x, y)
     const G1 = weierstrassPoints({
         n: Fr.ORDER,
         ...CURVE.G1,
     });
+    const G1HashToCurve = htf.hashToCurve(G1.ProjectivePoint, CURVE.G1.mapToCurve, {
+        ...CURVE.htfDefaults,
+        ...CURVE.G1.htfDefaults,
+    });
     function pairingPrecomputes(point) {
         const p = point;
         if (p._PPRECOMPUTES)
             return p._PPRECOMPUTES;
-        p._PPRECOMPUTES = calcPairingPrecomputes(p.x, p.y);
+        p._PPRECOMPUTES = calcPairingPrecomputes(point.toAffine());
         return p._PPRECOMPUTES;
     }
-    function clearPairingPrecomputes(point) {
-        const p = point;
-        p._PPRECOMPUTES = undefined;
-    }
-    clearPairingPrecomputes;
-    function millerLoopG1(Q, P) {
-        return millerLoop(pairingPrecomputes(P), [Q.x, Q.y]);
-    }
+    // TODO: export
+    // function clearPairingPrecomputes(point: G2) {
+    //   const p = point as G2 & withPairingPrecomputes;
+    //   p._PPRECOMPUTES = undefined;
+    // }
     // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
     const G2 = weierstrassPoints({
         n: Fr.ORDER,
         ...CURVE.G2,
     });
+    const C = G2.ProjectivePoint; // TODO: fix
+    const G2HashToCurve = htf.hashToCurve(C, CURVE.G2.mapToCurve, {
+        ...CURVE.htfDefaults,
+        ...CURVE.G2.htfDefaults,
+    });
     const { Signature } = CURVE.G2;
     // Calculates bilinear pairing
-    function pairing(P, Q, withFinalExponent = true) {
-        if (P.equals(G1.Point.ZERO) || Q.equals(G2.Point.ZERO))
-            throw new Error('No pairings at point of Infinity');
-        P.assertValidity();
+    function pairing(Q, P, withFinalExponent = true) {
+        if (Q.equals(G1.ProjectivePoint.ZERO) || P.equals(G2.ProjectivePoint.ZERO))
+            throw new Error('pairing is not available for ZERO point');
         Q.assertValidity();
+        P.assertValidity();
         // Performance: 9ms for millerLoop and ~14ms for exp.
-        const looped = millerLoopG1(P, Q);
+        const Qa = Q.toAffine();
+        const looped = millerLoop(pairingPrecomputes(P), [Qa.x, Qa.y]);
         return withFinalExponent ? Fp12.finalExponentiate(looped) : looped;
     }
     function normP1(point) {
-        return point instanceof G1.Point ? point : G1.Point.fromHex(point);
+        return point instanceof G1.ProjectivePoint ? point : G1.ProjectivePoint.fromHex(point);
     }
     function normP2(point) {
-        return point instanceof G2.Point ? point : Signature.decode(point);
+        return point instanceof G2.ProjectivePoint ? point : Signature.decode(point);
     }
-    function normP2Hash(point) {
-        return point instanceof G2.Point ? point : G2.Point.hashToCurve(point);
+    function normP2Hash(point, htfOpts) {
+        return point instanceof G2.ProjectivePoint
+            ? point
+            : G2HashToCurve.hashToCurve(point, htfOpts);
     }
     // Multiplies generator by private key.
     // P = pk x G
     function getPublicKey(privateKey) {
-        return G1.Point.fromPrivateKey(privateKey).toRawBytes(true);
+        return G1.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
     }
-    function sign(message, privateKey) {
-        const msgPoint = normP2Hash(message);
+    function sign(message, privateKey, htfOpts) {
+        const msgPoint = normP2Hash(message, htfOpts);
         msgPoint.assertValidity();
         const sigPoint = msgPoint.multiply(G1.normalizePrivateKey(privateKey));
-        if (message instanceof G2.Point)
+        if (message instanceof G2.ProjectivePoint)
             return sigPoint;
         return Signature.encode(sigPoint);
     }
     // Checks if pairing of public key & hash is equal to pairing of generator & signature.
     // e(P, H(m)) == e(G, S)
-    function verify(signature, message, publicKey) {
+    function verify(signature, message, publicKey, htfOpts) {
         const P = normP1(publicKey);
-        const Hm = normP2Hash(message);
-        const G = G1.Point.BASE;
+        const Hm = normP2Hash(message, htfOpts);
+        const G = G1.ProjectivePoint.BASE;
         const S = normP2(signature);
         // Instead of doing 2 exponentiations, we use property of billinear maps
         // and do one exp after multiplying 2 points.
         const ePHm = pairing(P.negate(), Hm, false);
         const eGS = pairing(G, S, false);
         const exp = Fp12.finalExponentiate(Fp12.mul(eGS, ePHm));
-        return Fp12.equals(exp, Fp12.ONE);
+        return Fp12.eql(exp, Fp12.ONE);
     }
     function aggregatePublicKeys(publicKeys) {
         if (!publicKeys.length)
             throw new Error('Expected non-empty array');
-        const agg = publicKeys
-            .map(normP1)
-            .reduce((sum, p) => sum.add(G1.ProjectivePoint.fromAffine(p)), G1.ProjectivePoint.ZERO);
-        const aggAffine = agg.toAffine();
-        if (publicKeys[0] instanceof G1.Point) {
+        const agg = publicKeys.map(normP1).reduce((sum, p) => sum.add(p), G1.ProjectivePoint.ZERO);
+        const aggAffine = agg; //.toAffine();
+        if (publicKeys[0] instanceof G1.ProjectivePoint) {
             aggAffine.assertValidity();
             return aggAffine;
         }
@@ -175,11 +176,9 @@ export function bls(CURVE) {
     function aggregateSignatures(signatures) {
         if (!signatures.length)
             throw new Error('Expected non-empty array');
-        const agg = signatures
-            .map(normP2)
-            .reduce((sum, s) => sum.add(G2.ProjectivePoint.fromAffine(s)), G2.ProjectivePoint.ZERO);
-        const aggAffine = agg.toAffine();
-        if (signatures[0] instanceof G2.Point) {
+        const agg = signatures.map(normP2).reduce((sum, s) => sum.add(s), G2.ProjectivePoint.ZERO);
+        const aggAffine = agg; //.toAffine();
+        if (signatures[0] instanceof G2.ProjectivePoint) {
             aggAffine.assertValidity();
             return aggAffine;
         }
@@ -187,33 +186,34 @@ export function bls(CURVE) {
     }
     // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
     // e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
-    function verifyBatch(signature, messages, publicKeys) {
+    function verifyBatch(signature, messages, publicKeys, htfOpts) {
+        // @ts-ignore
+        // console.log('verifyBatch', bytesToHex(signature as any), messages, publicKeys.map(bytesToHex));
         if (!messages.length)
             throw new Error('Expected non-empty messages array');
         if (publicKeys.length !== messages.length)
             throw new Error('Pubkey count should equal msg count');
         const sig = normP2(signature);
-        const nMessages = messages.map(normP2Hash);
+        const nMessages = messages.map((i) => normP2Hash(i, htfOpts));
         const nPublicKeys = publicKeys.map(normP1);
         try {
             const paired = [];
             for (const message of new Set(nMessages)) {
-                const groupPublicKey = nMessages.reduce((groupPublicKey, subMessage, i) => subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey, G1.Point.ZERO);
+                const groupPublicKey = nMessages.reduce((groupPublicKey, subMessage, i) => subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey, G1.ProjectivePoint.ZERO);
                 // const msg = message instanceof PointG2 ? message : await PointG2.hashToCurve(message);
                 // Possible to batch pairing for same msg with different groupPublicKey here
                 paired.push(pairing(groupPublicKey, message, false));
             }
-            paired.push(pairing(G1.Point.BASE.negate(), sig, false));
+            paired.push(pairing(G1.ProjectivePoint.BASE.negate(), sig, false));
             const product = paired.reduce((a, b) => Fp12.mul(a, b), Fp12.ONE);
             const exp = Fp12.finalExponentiate(product);
-            return Fp12.equals(exp, Fp12.ONE);
+            return Fp12.eql(exp, Fp12.ONE);
         }
         catch {
             return false;
         }
     }
-    // Pre-compute points. Refer to README.
-    G1.Point.BASE._setWindowSize(4);
+    G1.ProjectivePoint.BASE._setWindowSize(4);
     return {
         CURVE,
         Fr,
@@ -226,6 +226,7 @@ export function bls(CURVE) {
         Signature,
         millerLoop,
         calcPairingPrecomputes,
+        hashToCurve: { G1: G1HashToCurve, G2: G2HashToCurve },
         pairing,
         getPublicKey,
         sign,

package/lib/esm/abstract/{group.js → curve.js}

@@ -1,8 +1,11 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Abelian group utilities
+import { validateField, nLength } from './modular.js';
+import { validateObject } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
-// Not big, but pretty complex and it is easy to break stuff. To avoid too much copy paste
+// Elliptic curve multiplication of Point by scalar. Complicated and fragile. Uses wNAF method.
+// Windowed method is 10% faster, but takes 2x longer to generate & consumes 2x memory.
 export function wNAF(c, bits) {
     const constTimeNegate = (condition, item) => {
         const neg = item.negate();
@@ -104,5 +107,32 @@ export function wNAF(c, bits) {
             // which makes it less const-time: around 1 bigint multiply.
             return { p, f };
         },
+        wNAFCached(P, precomputesMap, n, transform) {
+            // @ts-ignore
+            const W = P._WINDOW_SIZE || 1;
+            // Calculate precomputes on a first run, reuse them after
+            let comp = precomputesMap.get(P);
+            if (!comp) {
+                comp = this.precomputeWindow(P, W);
+                if (W !== 1) {
+                    precomputesMap.set(P, transform(comp));
+                }
+            }
+            return this.wNAF(W, comp, n);
+        },
     };
 }
+export function validateBasic(curve) {
+    validateField(curve.Fp);
+    validateObject(curve, {
+        n: 'bigint',
+        h: 'bigint',
+        Gx: 'field',
+        Gy: 'field',
+    }, {
+        nBitLength: 'isSafeInteger',
+        nByteLength: 'isSafeInteger',
+    });
+    // Set defaults
+    return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve });
+}